ForensicFocus. The anatomy of an anti-bribery and corruption risk assessment Part 2 Leading practices from around the globe


Today's reality

There is significant guidance stressing the importance of addressing the Foreign Corrupt Practices Act (FCPA) and other similar anti-bribery and corruption (ABC) regulations through a company's compliance program, but companies are seeking additional assistance with developing their own specific risk-based ABC program tailored to their needs. Such companies seem to have a general awareness that conducting an ABC risk assessment is a starting point for designing or updating their overall ABC program, but these companies continue to seek detailed information on leading practices for how to develop and conduct this specific type of risk assessment. While there is no "one size fits all" approach to ABC risk assessments, there are some similar steps and concepts tested by global organizations that continue to have success in the quest for a structured, risk-based ABC risk assessment approach.

Setting the stage

This paper is the second in a two-part series. The first paper, "Laying the groundwork," discusses the building blocks for an ABC risk assessment, such as defining that term, understanding who should be involved in the process, and which individual/department should take the lead. This second paper dives deeper into the process by outlining some practical pointers as well as challenges that have been encountered by others in executing the same process. While this list is not comprehensive, and may not address every issue a company may be facing in this area, the goal is to bring insight to those that may be wrestling with the issue of ABC risk assessment development. This paper is meant to be one point in the continuing conversation on developing and refining ABC programs in the face of changing risks.
Compliance fatigue is real

In the face of a constantly evolving risk environment, a company is likely to simultaneously undertake multiple risk assessments covering different risk areas. A few examples include enterprise risk assessments, fraud risk assessments, compliance risk assessments, and IT security risk assessments. Stakeholders struggle with what may seem like an unending amount of risk assessment surveys and process questions. When people feel like they are revisiting the same discussions over and over again, and are being pulled away from their daily responsibilities, they often experience compliance fatigue. While there is not a magic answer for addressing compliance fatigue, understanding that this condition exists and applying strategic coordination can help. Planning a comprehensive enterprise-wide approach is key. By spacing out the different risk assessment processes and limiting duplication of effort, a company can create an environment where a fresh approach is applied and valuable input is received for each of the important and distinct risk assessments. Without such coordination on the front end, the ABC risk assessment may not receive the attention it deserves in order to determine the true ABC risk profile. And without the detailed findings of the risk assessment, the company will not have the strong baseline understanding of bribery and corruption risks to drive the overall ABC program.

You don't have to be an expert but you have to ask the right questions

Bribery and corruption risks manifest themselves across the organization, including in specialized compliance areas that may not be readily known to all within the group tasked with leading the ABC risk assessment. For example, Health, Safety, and Environment (HSE) can be an important area from a bribery and corruption risk perspective (e.g., obtaining permits or licenses for manufacturing facilities). However, this area often sits in a separate silo from the overall compliance efforts, and, as a result, doesn't always have adequate compliance attention. The leader or leaders of the ABC risk assessment process do not have to be experts in all areas of bribery and corruption risk, like HSE, but they do need to have a working knowledge of potential risks, and, perhaps more importantly, be able to probe and ask questions specific to government interactions among all the different, and potentially siloed, departments or groups within their organization.

It's all in the survey design

A helpful tool for beginning any ABC risk assessment can be a survey that asks a series of questions about the perceived potential for government interaction. A survey can be a cost-effective way to expand the base of participants in the ABC risk assessment by connecting with employees all around the world to gather input on where the company is exposed to bribery and corruption risks. The design of the survey is paramount.
The survey should ask general, easily-understood questions, and not contain complex legal nuances, or difficult terms like "third-party intermediaries," which could be interpreted differently by various groups of people and may cause confusion. Instead, explanations or nuance can be further examined as part of follow-up conversations. A well-crafted survey takes time, as the survey owners must think of their global audience and challenge themselves to understand if the question is as clear as it can possibly be.

Training to minimize GIGO

The phrase "Garbage in, Garbage out" is applicable in the realm of ABC risk assessments. Even the best designed survey may yield inadequate results if the stakeholders completing the survey do not have a strong understanding of the topic. One clear example is the definition of a state owned enterprise (SOE). We have seen examples where a location did not know that certain customers visiting from other locations (e.g., China) were owned by the government, and thus entertainment of these customer representatives could give rise to a bribery and corruption risk. To address these concerns and to provide the best environment for a robust ABC risk assessment process, training should be provided in a short window just before the ABC risk assessment takes place. This training would reinforce key ABC risk concepts, including company policies and procedures, which are relevant to identifying and mitigating bribery and corruption risks.

Foster an open culture with two-way communication

Bribery does occur. It may be occurring in some form in your organization right now. If you are part of a global organization, it is likely that at least one of your employees has been approached about providing bribes. While this is an unfortunate reality of global business, the vast majority of employees want to do the right thing and are looking for the tools to address this issue when it arises.
In-person training sessions that involve substantial dialogue about business issues local employees might face can be one of the best tools in the risk assessment process. Open dialogue with those that are on the front lines helps to create a culture where employees understand that having a perfect location without any risk exposure isn't expected or even possible. What is expected is that each location understands the serious nature of these risks and takes personal responsibility for identifying and reporting their own bribery and corruption risks. Whether it be paying local utility officials to keep the lights on, paying local police to prevent a company vehicle from being impounded, or paying a fee to cut through red tape for licenses or permits, the company should help employees understand it is okay to report where they see bribery and corruption risk exposure. These issues cannot be addressed if they are not brought to light.

Follow-up conversations are important

Even the best designed survey can be returned with ambiguous answers. As a result, a survey should just be one tool for completing an ABC risk assessment. It is essential that time be factored into the process to allow for follow-up questions based on responses that indicate the potential for bribery and corruption risks. Such follow-up conversations provide more context and a deeper understanding of the true bribery and corruption risks present in a given jurisdiction where the company does business. Not all ambiguous answers to the survey require follow-up, as that determination will be based on the level of the potential ABC risk associated with the statement in question. However, having a structured approach to identifying answers in the survey requiring more information before finalizing the company's ABC risk exposure is an important step.

Allow for reporting of mitigation

In addition to helping the company understand the impact of bribery and corruption risks, we have seen that employees will potentially open up more if they are given the opportunity to discuss their mitigation steps for identified risks. For example, employees might have established an informal process of ensuring at least two company representatives are present whenever a surprise government inspection occurs. This informal process may not be known at the corporate level, and wouldn't be known unless the question was asked: "What do you do to mitigate the risk of bribery in their country?" By allowing employees to stress the ways they mitigate bribery and corruption risks, you can encourage positive behavior and foster greater buy-in for the process. A company may also get the benefit of leveraging some of the information collected from such employees to share with other regions and further strengthen the overall ABC program.
Finding ways to foster open dialogue and reinforce the positives can facilitate a richer discussion for identifying true bribery and corruption risks.

Leveraging data analytics and internal audit

It is usually easier to talk about specific cases rather than the abstract, and discussing bribery and corruption risks is no different. By leveraging focused analytics, especially transaction testing for key risk areas such as sales agents, customs and logistics, licenses and permits, or consulting costs, a region or location can identify the different business relationships that may give rise to bribery and corruption risks. The volume of these transactions can also help as a company tries to determine the likelihood or impact of a specific bribery and corruption risk. This testing, or other testing relevant to bribery and corruption risk areas, may already be performed by internal audit. Ensuring the team focused on the ABC risk assessment involves internal audit can add efficiency to the process.

Results are in, now what?

Survey data, results from data analytics, and additional qualitative or quantitative information obtained are all just data points to be considered in the full ABC risk assessment process.[1] Once a company has this information, it will need to have a structured approach to quantify likelihood and magnitude of identified risks. For example, the potential impact will vary based on the level of risk: paying a small sum to a public utility employee in a remote location to keep a plant's lights on would have substantially less impact than funneling money through an agent to secure a lucrative government contract. Because of familiarity with the subject of applying risk ratings, the ABC risk assessment team may want to coordinate with internal audit or other financial or fraud controls groups if such individuals are not already key team members for this process.
Assigning the likelihood and magnitude of a particular risk can be subjective, so a company may want to leverage individuals performing the same type of subjective assessments for other risk areas to be able to show a coordinated and structured company-wide methodology that minimizes the subjective nature as much as possible.

Are we done yet?

Once the bribery and corruption risks are identified and weighted, then the true work can begin. First, the team needs to assign responsibility for mitigating the identified risks. The risks can be separated based on the level of ownership and that can be addressed at:

- The Corporate level (e.g. policies and procedures or monitoring)
- A Regional level (e.g. nuanced items including gifts and entertainment)
- The local level (e.g. implementation of procedures for different ERP systems).

Once responsibility is assigned, the appropriate remediation steps and monitoring to address the bribery and corruption risks can be executed. The ABC risk assessment is a process that should be repeated, but the frequency depends on the company's specific ABC risk profile.[2] Because the first ABC risk assessment will be the most robust and comprehensive, future assessments can focus on any changes to the initially identified bribery and corruption risks, such as entering of new markets, change in the SOE customer base, new plant construction, etc.[3] No matter the frequency, the completion of the initial ABC risk assessment starts the planning process for the next iteration. To facilitate that future process, a company should centrally store documentation related to the risk assessment, including anything from events identified between risk assessments that should impact the next version.

[1] See the Anti-Corruption Ethics and Compliance Handbook for Business, published by the OECD, along with UNODC and the World Bank, (the "OECD Handbook") 2013, pp. 11 discussing Step 3: Rate the Inherent Risk.

[2] See A Resource Guide to the U.S. Foreign Corrupt Practices Act, published in 2012 by the DOJ and SEC, p.5 "Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability," and

[3] See the OECD Handbook at 14, "There also may be triggering events such as entry into new markets, significant reorganisations, mergers, and acquisitions that will create opportunities for refreshing the risk assessment."

A plan for moving forward

While there is no "one size fits all" approach to ABC risk assessments, there are some similar steps and concepts that continue to work in the quest for a structured ABC risk assessment approach.

- Establish a strong core team led by an individual with sufficient authority to execute the project
- Allow for sufficient time to plan the ABC risk assessment, including determination of locations/stakeholders to involve in the process
- Collect relevant data to obtain an initial understanding of ABC risks in countries where the organization does business, including the Corruption Perception Index (CPI) scores, the regulatory landscape, and the political environment
- Utilize a carefully-crafted ABC survey to reach global locations
- Supplement the survey with in-person communications, training sessions, and data analytics
- Provide a feedback loop so employees can discuss bribery and corruption risks and mitigation openly
- Have a clear process for assigning the mitigation efforts for risks identified among the different levels of the organization (Corporate, Regional, Local)
- Develop a consistent update cadence for future ABC risk assessments
- Prepare for the unknown, as issues will likely be identified during the process

Time spent on the front end to think through each of the steps will pay off greatly with a more focused ABC risk assessment approach that creates a defined set of bribery and corruption risks that are most important for the company to mitigate.

Contact us

Amanda Rigby, Principal, U.S. Forensic Services Leader, E: amandarigby@kpmg.com

AUTHORS

Matthew Dixon, Director, Forensic Services, E: mdixon@kpmg.com
Monica Nitoiu, Manager, Forensic Services, E: monicanitoiu@kpmg.com